The Policy Agent's Role in CDSSO

The Java EE Policy Agent's Role

Based upon the appropriate HTTP protocols, an SSO token is presented
to servers in the DNS domain that is set in the cookie. A server may
only set a cookie within their own domain. So despite having a valid
SSO token cookie in one domain, policy agent-protected servers in
other domains are never presented with this cookie.

CDSSO overcomes the problem with coordinated work between two
components:

The CDSSO Redirect Servlet extracts the SSO Token sent by the
CDC Servlet, and then sets the same SSO Token cookie again. This time
the SSO Token is set with the policy agent's fully qualified host
name as the cookie domain. This process essentially replicates the
SSO Token in the policy agent DNS domain from the OpenSSO Enterprise
DNS domain. The following figure illustrates the CDC servlet and CDSSO
Redirect Servlet process flows.

Figure 16–2 Process flow for CDC Servlet and CDSSO Redirect
Servlet

The Web Policy Agent's Role in CDSSO

The Web Policy Agent works similarly as the Java EE Policy Agent
except for a slight variance. No CDSSO Redirect Servlet exists on
the web policy agent because the agent is an NSAPI plug-in. As a result,
the web policy agent combines the above steps 11 through 13 into a
single step with no redirection.